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AMENDMENTS TO THE CLAIMS 



1 . 1 . (Previously Presented) A policy-based network security management system, 

2 the system comprising: 

3 a security management controller comprising one or more processors; 

4 a computer-readable medium carrying one or more sequences of instructions for 

5 policy-based network security management, wherein execution of the one or 

6 more sequences of instructions by the one or more processors causes the one 

7 or more processors to perform the steps of: 

8 receiving a set of data regarding a user of a network, wherein the set of data is 

9 a first set of data that is collected over a first duration of time; 

10 receiving a second set of data that is collected over a second duration of time, 

1 1 wherein the first duration of time is shorter than the second duration of 

12 time; 

13 creating and storing a risk level of the user based on the second set of data, 

14 wherein the second duration of time is sufficient to collect historical 

15 data regarding past malicious activities of the user, and wherein the 

16 risk level is a discrete value representing a long-term measurement of 

17 the likeUhood of the user harming the network; 

1 8 creating and storing a current alert level based on the first set of data, wherein 

19 the first duration of time is of a length appropriate for assessing current 

20 activities of the user, and wherein the current alert level is a discrete 

21 value representing a current measurement of the likelihood of the user 

22 negatively affecting the network; 

23 automatically deciding on a course of action based on the risk level and the 

24 current alert level, wherein the course of action may be adverse to the 

25 user although the current alert level is insufficient to establish whether 

26 the user is performing a malicious action; and 

27 sending signals to one or more network elements in the network to implement 

28 the course of action. 
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1 2. (Original) The system of Claim 1, wherein the set of data includes at least one or 

2 more alerts related to the user. 

1 3. (Original) The system of Claim 1 , wherein the signals include multiple alerts 

2 generated by multiple users; and the system further comprising sequences of 

3 instructions for correlating the multiple alerts to the multiple users. 



1 4-5. (Canceled) 

(Previously Presented) The system of Claim 1, further comprising sequences of 
instructions for performing the steps of: 

receiving signals related to an external source including at least an alert assessment 

relevant to the network as a whole; and 
creating and storing a current alert level value based on the alert assessment. 



1 7. (Original) The system of Claim 1, further comprising sequences of instructions 

2 for performing the steps of: 

3 receiving signals carrying performance information related to a health level of the 
\ 4 network; and 

5 determining the course of action based at least in part on the set of data and the 

6 performance information. 

1 8. (Original) The system of Claim 1 further comprising: 

2 a plurality of routers for routing information sent by users and servers to a variety of 

3 destinations; 

4 a subscriber management system for managing a network; 
}. 5 a controller for executing the sequences of instructions; 

6 a network element for generating input for the set of data; and 

7 sequences of instructions for sending signals to the network elements. 
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1 9-15. (Canceled) 

1 1 6. (Previously Presented) A method of providing policy-based network security 

2 management, comprising the steps of: 

3 receiving a set of data regarding a user of a network, wherein the set of data is a first 

4 set of data that is collected over a first duration of time; 

5 receiving a second set of data that is collected over a second duration of time, wherein 

6 the first duration of time is shorter than the second duration of time; 

7 creating and storing a risk level of the user based on the second set of data, wherein 

8 the second duration of time is sufficient to collect historical data regarding 

9 past malicious activities of the user, and wherein the risk level is a discrete 

1 0 value representing a long-term measurement of the likelihood of the user 

1 1 harming the network; 

12 creating and storing a current alert level based on the first set of data, wherein the first 

1 3 duration of time is of a length appropriate for assessing current activities of 

14 the user, and wherein the current alert level is a discrete value representing a 

1 5 current measurement of the hkelihood of the user negatively affecting the 

16 network; 

17 automatically deciding on a course of action based on the risk level and the current 

1 8 alert level, wherein the course of action may be adverse to the user although 

19 the ciurent alert level is insufficient to estabUsh whether the user is 

20 performing a malicious action; and 

21 sending signals to one or more network elements in the network to implement the 

22 course of action. 

1 17. (Original) The method of Claim 16 wherein the set of data includes at least one 

2 or more alerts related to the user. 

1 18. (Original) The method of Claim 1 6, wherein the signals include multiple alerts 

2 generated by multiple users, and the method fiirther comprises correlating the 

3 multiple alerts to the multiple users. 
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1 19-20. (Canceled) 



1 21. (Previously Presented) The method of Claim 1 6 further comprising receiving 

2 signals related to an external source including an alert assessment relevant to the 

3 network as a whole, wherein the current alert level is also based on the alert 

4 assessment. 

1 22. (Original) The method of Claim 1 6 further comprising receiving signals carrying 

2 performance information related to a health level of the network, wherein the course 

3 of action is based on the set of data and the performance information. 

1 23-26. (Canceled) 

1 27. (Previously Presented) A method of policy-based network security 

2 management, comprising the computer-implemented steps of: 

3 collecting network performance statistics related to an overall health of a network 

4 and individual performance statistics of one or more individual units of the 

5 network, the collecting being performed by a performance management 

6 system; 

7 sending the network performance statistics to a controller for analysis; 

8 computing an overall health state based on the network performance statistics and 

9 the individual performance statistics, using the controller; 

10 reading external alert data from an external alert source, using the controller; 

1 1 collecting security event data from the network; 

12 sending the security event data to a fauh management system; 

13 using the fault management system for checking for duplications in the security 

14 event data, and deduplicating duplicate security events in the security 

15 event data; 

16 calculating an alert state based on the security event data from the fault 

1 7 management system and the external alert data, wherein the alert state is a 
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1 8 discrete value representing a cxirrent measurement of the likelihood of the 

1 9 network being negatively affected; 

20 obtaining user information from a subscriber management system; 

21 correlating the security event data from the fault management system with the 

22 user information to form correlated security event data; 

23 reading external user risk data from an external user risk source into the 

24 controller; 

25 calculating a user risk state based on the correlated security event data and the 

26 extemal user risk data, using the controller, wherein the user risk state is a 

27 discrete value representing a long-term measurement of the likelihood of 

28 the network being harmed; 

29 calculating a decision regarding whether to take corrective action based on the 

30 overall health state, the alert state, and the user risk state, using the 

31 controller; 

32 sending the decision from the controller to the subscriber management system; 

33 and 

34 sending directives, related to the decision, from the subscriber management 

35 system to the network. 

1 28. (Previously Presented) A system comprising: 

2 a fault management system that receives network security data and deduplicates 

3 duphcate indications of security events in the network security data to form 

4 deduplicated security event data; 

5 a subscriber management system that manages subscribers using a network, wherein 

6 the subscriber management system stores subscriber information about 

7 individual users and is capable of sending directives to the individual users 

8 based on a decision to take corrective action toward the individual users; 

9 wherein the deduplicated security event data from the fault management system is 

10 correlated to the subscriber information to form correlated network security 

11 data; 
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12 a performance management system that receives overall performance data related to 

13 an overall health of the network and individual performance data related to a 

14 health of one or more individual xmits of the network; and 

15 a controller that: 

16 receives external alert data from an external alert source, external user risk 

17 data from an external user risk source, the deduplicated security event 

1 8 data, the correlated network security data, the overall performance 

19 data, and the individual performance data; 

20 computes an alert state based on at least the external alert data and the 

21 deduplicated security event data, wherein the alert state is a discrete 

22 value representing a current measurement of the likelihood of the 

23 network being negatively affected; 

24 computes a user risk state based on at least the external user risk data and the 

25 correlated network security data, wherein the user risk state is a 

26 discrete value representing a long-term measurement of the likelihood 

27 of the network being harmed; 

28 computes a health state based on at least the overall performance data and the 

29 individual performance data; 

30 makes the decision whether to take corrective action based on at least the alert 

3 1 state, the user risk state, and the health state; and 

32 causes directives that implement the decision to be sent to the network. 

1 29. (Previously Presented) An apparatus for providing policy-based network 

2 security management, comprising: 

3 means for receiving a set of data regarding a user of a network, wherein the set of 

4 data is a first set of data that is collected over a first duration of time; 

5 means for receiving a second set of data that is collected over a second duration of 

6 time, wherein the first duration of time is shorter than the second duration of 

7 time; 

8 means for creating and storing a risk level of the user based on the second set of data, 

9 wherein the second duration of time is sufficient to collect historical data 
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10 regarding past malicious activities of the user, and wherein the risk level is a 

1 1 discrete value representing a long-term measurement of the likelihood of the 

12 user harming the network; 

13 means for creating and storing a current alert level based on the first set of data, 

14 wherein the first duration of time is of a length appropriate for assessing 

15 current activities of the user, and wherein the current alert level is a discrete 

16 value representing a current measurement of the likelihood of the user 

1 7 negatively affecting the network; 

18 means for automatically deciding on a course of action based on the risk level and the 

19 current alert level, wherein the course of action may be adverse to the user 

20 although the current alert level is insufiBcient to establish whether the user is 

21 performing a malicious action; and 

22 means for sending signals to one or more network elements in the network to 

23 implement the coxwse of action. 

1 30. (Canceled) 

1 31. (New) The apparatus of Claim 29, wherein the first set of data includes at least one or 

2 more alerts related to the user. 

1 32. (New) The apparatus of Claim 29, wherein the signals include multiple alerts 

2 generated by multiple users; and the apparatus further comprises means for 

3 correlating the multiple alerts to the multiple users. 

1 33. (New) The apparatus of Claim 29, further comprising: 

2 means for receiving signals related to an extemal source including at least an alert 

3 assessment relevant to the network as a whole; and 

4 means for creating and storing a current alert level value based on the alert 

5 assessment. 
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1 34. (New) The apparatus of Claim 29, further comprising: 

2 means for receiving signals carrying performance information related to a health level 

3 of the network; and 

4 means for determining the course of action based at least in part on the set of data and 

5 the performance information. 

1 35. (New) The apparatus of Claim 29, further comprising: 

2 means for communicatively connecting to a plurality of routers that route information 

3 sent by users and servers to a variety of destinations; 

4 means for communicatively connecting to a subscriber management system for 

5 managing a network; 

6 means for commimicatively connecting to a network element for generating input for 

7 the first set of data; and 

8 means for sending signals to the network element. 
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